Rely on a private key rather than secret key + password in publish / publish setup
For now, publish (and publish setup, in https://github.com/VirtusLab/scala-cli/pull/926), when using Bouncycastle-based Scala CLI-managed keys rather than gpg, relies on a "secret key" plus a password to sign artifacts, much like how sbt-ci-release deals with such keys. The Bouncycastle API offers a better way to handle those keys: using "private keys". In the Bouncycastle API (I guess that terminology must not be specific to it), "private keys" are "clear" keys (they can be used without a password to sign or encrypt things), while "secret keys" are private keys protected by a password.
When we upload a key as GitHub release asset, or when we generate one and keep it in the Scala CLI config, there's no need to keep a secret key plus a password - just a private key would do. That way, in publish setup, we should only need to create a GitHub repository secret for the private key, rather than one for the secret key and one for its password.
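As an added illustration of the secret-key vs. private-key distinction above (example code, not Scala CLI's own implementation): the password is needed exactly once, to unlock the secret key and re-encode it without a passphrase; from then on the clear key signs with no password at all. It assumes a Scala CLI `using dep` directive pulling the Bouncy Castle OpenPGP artifact (`org.bouncycastle:bcpg-jdk18on:1.76`, an assumed coordinate) and uses a freshly generated key as constructed sample input; all object and method names are hypothetical.

```scala
//> using dep org.bouncycastle:bcpg-jdk18on:1.76
import java.io.ByteArrayOutputStream
import java.security.{KeyPairGenerator, Security}
import java.util.Date
import org.bouncycastle.bcpg.HashAlgorithmTags
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.bouncycastle.openpgp._
import org.bouncycastle.openpgp.operator.jcajce._

object PrivateKeySigning {
  Security.addProvider(new BouncyCastleProvider)
  // Constructed sample input: a fresh RSA key locked with `password`, i.e. a
  // "secret key" in Bouncy Castle terms (what the secret-key-plus-password flow stores).
  def generateProtectedKey(password: Array[Char]): Array[Byte] = {
    val kpg = KeyPairGenerator.getInstance("RSA", "BC")
    kpg.initialize(2048)
    val keyPair = new JcaPGPKeyPair(PGPPublicKey.RSA_GENERAL, kpg.generateKeyPair(), new Date())
    val sha1 = new JcaPGPDigestCalculatorProviderBuilder().build().get(HashAlgorithmTags.SHA1)
    val encryptor = new JcePBESecretKeyEncryptorBuilder(PGPEncryptedData.AES_256, sha1)
      .setProvider("BC").build(password)
    val certSigner = new JcaPGPContentSignerBuilder(PGPPublicKey.RSA_GENERAL, HashAlgorithmTags.SHA256)
    new PGPSecretKey(PGPSignature.DEFAULT_CERTIFICATION, keyPair, "example <example@example.invalid>",
      sha1, null, null, certSigner, encryptor).getEncoded
  }

  def readMasterKey(encoded: Array[Byte]): PGPSecretKey =
    new PGPSecretKeyRing(encoded, new JcaKeyFingerprintCalculator).getSecretKey

  // One-time step: unlock the secret key with its password and re-encode it with
  // no passphrase at all (no S2K, encryption algorithm NULL). The result is the
  // "clear" private key that could live in the Scala CLI config or in a single secret.
  def stripPassword(protectedKey: Array[Byte], password: Array[Char]): Array[Byte] = {
    val decryptor = new JcePBESecretKeyDecryptorBuilder().setProvider("BC").build(password)
    PGPSecretKey.copyWithNewPassword(readMasterKey(protectedKey), decryptor, null).getEncoded
  }

  // Signing step: the key is unprotected, so no decryptor (and no password) is needed.
  def signDetached(clearKey: Array[Byte], data: Array[Byte]): Array[Byte] = {
    val secretKey = readMasterKey(clearKey)
    val privateKey: PGPPrivateKey = secretKey.extractPrivateKey(null)
    val signer = new JcaPGPContentSignerBuilder(secretKey.getPublicKey.getAlgorithm, HashAlgorithmTags.SHA256)
      .setProvider("BC")
    val sigGen = new PGPSignatureGenerator(signer)
    sigGen.init(PGPSignature.BINARY_DOCUMENT, privateKey)
    sigGen.update(data)
    val out = new ByteArrayOutputStream
    sigGen.generate().encode(out)
    out.toByteArray
  }
}
```

Calling `stripPassword(generateProtectedKey(pw), pw)` once and then `signDetached(clearKey, artifactBytes)` as many times as needed shows why only one repository secret (the clear key) is required. The clear key carries no password protection, so wherever it is stored must provide the confidentiality the passphrase used to add.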